Components

OSCAL component ~~include:~~are the backbone of an OSCAL System Security Plan (SSP), enabling data normalization of inventory, control responses and other key concepts.

Create an SSP component:

~~this~~to ~~system~~normalize inventory data, a
- Example: ~~component~~instead ~~that~~of ~~represents~~listing the ~~entire~~same ~~system~~OS and ~~everything~~its ~~within~~details ~~the~~in ~~authorization~~every ~~boundary~~inventory entry, define an OS compnent and link to it from inventory.
~~technical~~for ~~components~~control responses, ~~including~~
- Example: if it is appropriate to discuss an Identity, Credential and ~~physical~~Access ~~hardware~~Management as(ICAM) ~~well~~solution aswithin ~~software,~~a control response, define a component for it. If it is also necessary to discuss just the enterprise directory portion of that solution, consider also defining a component for that capability.

to represent third party validation
- Example: For US Government systems required to use FIPS-140-2/3 validated cryptographic modules, create a component for module and a second component representing the validation of that component. Link the two.

to represent external or underlying (leveraged) systems and services
- Example: Create a component for each cloud-native service, underlying general support system (GSS), cloud system or external/third-party capability used by your system.

Component Types

All components have a required type field. Certain component types, such as ~~routers, switches, firewalls, databases~~hardware and ~~web~~software ~~servers;~~have

~~documents~~,sub-types ~~such~~represented asusing ~~policies,~~an ~~procedures,~~asset-type ~~plans~~property.

~~and~~

~~guides;~~

Under

~~interconnections~~Development ~~between~~

~~other systems and this system;~~

~~leveraged systems~~ ~~sometimes called "leveraged authorizations"; and~~

~~cloud-native services~~.